Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-64650

Upgrade Commons FileUpload from 1.3.1-jenkins-2 to 1.4

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Closed (View Workflow)
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: core
    • Labels:
      None
    • Similar Issues:
    • Released As:
      2.278

      Description

      Background

      See jenkinsci/jenkins#5174. Subsumes jenkinsci/jenkins#5171. See also the corresponding mailing list thread.

      Problem

      Jenkins core uses a fork of Commons FileUpload 1.3.1 (which was released upstream on February 7, 2014). Two changes were made to the Jenkins fork:

      1. DiskFileItem was made no longer Serializable in commit 28d997704f as part of SECURITY-159 on September 27, 2014. Upstream made the same change over 4 years later in 1.4 (which was released on December 23, 2018).
      2. The fix for CVE-2016-3092 (originally released upstream in 1.3.2 on May 26, 2016) was backported to the Jenkins fork in commit ea981a029c as part of SECURITY-490 on September 28-29, 2017.

      Solution

      As of 2021, the latest upstream release (1.4) contains all the changes present in the fork; therefore, the fork is no longer necessary. Furthermore, it prevents us from receiving upstream fixes.

      Solution

      Upgrade to the latest upstream release, Commons FileUpload 1.4.

        Attachments

          Issue Links

            Activity

            There are no comments yet on this issue.

              People

              Assignee:
              basil Basil Crow
              Reporter:
              basil Basil Crow
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: